Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Two conditions for Lookup

DanielAmlung
Path Finder
‎01-04-2021 07:18 AM

Hi,

iam stuck with a problem where i need help from you guys. I have a search that runs IDs against a lookup to determine if that ID is from Production or Test Environment. Problem is: some IDs are double, means they exist in Prod and in Test. So when I search and hit one of those IDs they count against Prod and against Test. So i wanted to filter for two conditions that must be met - First would be the specific ID and second would be the environment. I cant get that to work, is there any way to select two conditions that must be met before the lookup give back an result?

I appreciate any feedback 🙂

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DanielAmlung
Path Finder
‎01-28-2021 04:00 AM

Fixed it

 

/close

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DanielAmlung
Path Finder
‎01-28-2021 04:00 AM

Fixed it

 

/close

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎01-04-2021 08:12 PM

lookup command takes as many conditions as needed

| lookup lookup_file id environment

that means you have to provide environment as a constraint to the lookup - is that what you mean?

you example indicates you are trying to determine if the id is test or prod, but if it returns both, is that not a valid response? What are you intending to do with the answer to the lookup?

 

 

 

0 Karma
Reply
Solved! Jump to solution

DanielAmlung
Path Finder
‎01-04-2021 11:48 PM

 

Hi, thats what i tried. But then i get a multi value field "environment" back which contains both prod and test. I could split that into two fields, but in the summary its wrong because than i have 6 prod events insted of 3.

Idea behind this is: we have a system that calls for specific functions. Every call is tied to an ID, but since they also test the system it can happen that this id is valid both in prod and test. So when i create a search that queries only for calls from a specific id within the prod environment, i get douple results.  Because the id is both found in prod and test. So i wanted to filter for two conditions first one would be the id and second one would be the environment. But that need to happen within the lookup statement and not after wards.

 

Example search with mvexpand:

index=XX  sourcetype=iis

NOT cs_User_Agent=performanceTester cs_uri_stem="*datapoints*values/*" 

| search XXid=XX475 

| lookup local=true lkp_XX_ids_kv XXId AS xx_id  OUTPUTNEW SourceSystemName as source_system Environment

| mvexpand Environment

|search Prod

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...